The bug is in the function vgaR3DrawBlank, called from vgaR3UpdateDisplay. It can be triggered with a single core and 32MB of VRAM, but exploiting it requires at least 65 MB of VRAM and 4 cores because of a race condition.
The bug arises from incorrectly multiplying start_addr by 4 in vgaR3DrawBlank, which allows bits to be cleared outside the bounds of the bitmap even when start_addr is below 64MB. Exploiting it can clear bits in heap memory.
The exploit failed with 65MB of VRAM because the allocation was not large enough to trigger the bug. With 128MB of VRAM, it requires 4 cores to win the race condition for successful exploitation.
Setting start_addr beyond 64MB clears bits outside the bitmap, enabling manipulation of heap memory. Triggering the bug involves sending specific values over ioport communication to zero out a particular bit.
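The defect described above is an index computed from a guest-controlled start address that runs past the end of a bitmap. The following is an added, constructed illustration of the check a maintainer would want in such a path; it is not VirtualBox's code and does not reproduce vgaR3DrawBlank. It models a page-granular dirty bitmap over VRAM (the names dirty_bitmap_t, dirty_bitmap_init, dirty_bitmap_clear_range, dirty_bitmap_test and the 4 KB page size are assumptions), and refuses any clear whose bit range would extend beyond the bitmap instead of touching memory outside it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model, not VirtualBox code: one dirty bit per PAGE_SIZE bytes
 * of VRAM. Clearing a bit marks that page as "not dirty". */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)

typedef struct {
    uint8_t *bits;   /* bitmap storage, at least nbits/8 bytes (rounded up) */
    size_t   nbits;  /* number of valid bits == number of VRAM pages covered */
} dirty_bitmap_t;

/* Attach storage and mark every page dirty. */
void dirty_bitmap_init(dirty_bitmap_t *bm, uint8_t *storage, size_t nbits)
{
    bm->bits  = storage;
    bm->nbits = nbits;
    memset(storage, 0xff, (nbits + 7) / 8);
}

/* Return 1 if the page bit is set, 0 if clear, -1 if the index is invalid. */
int dirty_bitmap_test(const dirty_bitmap_t *bm, uint64_t bit)
{
    if (bit >= bm->nbits) return -1;
    return (bm->bits[bit / 8] >> (bit % 8)) & 1u;
}

/* Clear the dirty bits covering [start_addr, start_addr + len).
 * The whole range is validated against nbits before any bit is touched:
 * returns 0 on success, -1 if the range would reach past the bitmap
 * (in which case the bitmap is left unchanged). */
int dirty_bitmap_clear_range(dirty_bitmap_t *bm, uint64_t start_addr, uint64_t len)
{
    if (len == 0) return 0;
    if (len - 1 > UINT64_MAX - start_addr) return -1;   /* start + len overflows */
    uint64_t first = start_addr >> PAGE_SHIFT;
    uint64_t last  = (start_addr + (len - 1)) >> PAGE_SHIFT;
    if (last >= bm->nbits) return -1;                    /* would clear bits outside the bitmap */
    for (uint64_t i = first; i <= last; i++)
        bm->bits[i / 8] &= (uint8_t)~(1u << (i % 8));
    return 0;
}

int main(void)
{
    /* Constructed sample: a bitmap for 64MB of VRAM = 16384 pages = 2048 bytes. */
    static uint8_t storage[2048];
    dirty_bitmap_t bm;
    dirty_bitmap_init(&bm, storage, 16384);

    printf("clear 2 pages at 0x1000: %d\n", dirty_bitmap_clear_range(&bm, 0x1000, 0x2000));
    printf("page 1 dirty? %d, page 3 dirty? %d\n", dirty_bitmap_test(&bm, 1), dirty_bitmap_test(&bm, 3));
    /* A start address at or beyond 64MB is rejected rather than clearing out-of-bounds bits. */
    printf("clear at 64MB: %d\n", dirty_bitmap_clear_range(&bm, 64ull * 1024 * 1024, 16));
    return 0;
}
```

The point of the check is that the bounds test is applied to the final bit index after all scaling, not to start_addr alone; a check on the raw address is exactly what a later multiplication can defeat.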